Root certificate debacle that hit Lenovo now visits the House of Dell.


In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website.


The self-signed transport layer security credential, which was issued by an entity calling itself eDellRoot, was preinstalled as a root certificate on at least two Dell laptops, one an Inspiron 5000 series notebook and the other an XPS 15 model. Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet. Depending on the browser used, any Dell computer that ships with the root certificate described above will then accept the encrypted Web sessions with no warnings whatsoever. At least some Dell Inspiron desktops and various Precision M4800 and Latitude models are also reported to be affected.

The crowdsourced discovery came over the weekend, as Dell customers shared technical details of the eDellRoot certificate installed on recently purchased computers. Joe Nord, a self-described programmer, showed the certificate as it appears in the Microsoft Management Console:

Seeing is believing

Nord told Ars that he visited this HTTPS test site, which was created by security expert Kenn White using the private key contained in the Dell certificates. Nord said the Google Chrome, Microsoft Edge, and Internet Explorer browsers established an encrypted Web session with no warnings, even though the certificate was clearly fraudulent. Fortunately, Firefox generated an alert warning that the certificate was not trusted. Kevin Hicks, another Dell customer known to be affected, reported the same findings. He included the following screenshot of Chrome running on his enterprise-grade laptop being fooled by White's test site:

Many of the most important questions around this troubling discovery remain unanswered. It's still not clear, for instance, how widely Dell has distributed the eDellRoot credential or if Dell distributes similar root certificates that are also signed with identical private keys. It's also not yet known if the certificate can be used to sign applications so that they bypass Microsoft malware checks. Update: Researchers now say such code signing is possible, a finding that raises still more concerns. The purpose of the certificate isn't clear either, although there's some evidence the credential is linked to the Dell Foundation Service application. Rather than waiting hours or days for answers, Ars is publishing what is known now. To check if a particular computer is vulnerable, users can follow these instructions for using the Microsoft Management Console. The eDellRoot certificate will look similar to the one in the image above from Nord's computer.
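A scripted alternative to the Management Console check, as an added example that is not part of the original article: this PowerShell lists trusted-root entries whose subject contains eDellRoot and, going beyond the article's specific case, any trusted root whose private key is present on the machine. Matching on the subject string is an assumption, since the article gives no thumbprint.

```powershell
# Added example, not from the article or from Dell.
# Assumption: the certificate is identified by "eDellRoot" in its subject,
# the issuer name the article reports. No thumbprint is given on the page.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $isNamed = $_.Subject -match 'eDellRoot'

        # A trusted root whose private key also sits on the endpoint is the
        # failure mode behind both Superfish and eDellRoot: whoever extracts
        # that key can sign certificates this machine will trust.
        if ($isNamed -or $_.HasPrivateKey) {
            $reason = 'trusted root with local private key'
            if ($isNamed) { $reason = 'subject matches eDellRoot' }

            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                Reason        = $reason
            }
        }
    }
}

if ($findings) {
    # The same certificate can appear under both stores, because the
    # CurrentUser view also includes machine-wide roots.
    $findings | Sort-Object Thumbprint, Store | Format-List
} else {
    'No eDellRoot certificate and no trusted root with a local private key found.'
}
```

A reader comment on this page reports the certificate returning after deletion until Dell Foundation Services was uninstalled, so the check is worth repeating after a reboot.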

Dell issued a statement early Monday morning that said technicians are investigating the reports. Until they and other outside experts weigh in, it's too early to say how widespread and severe this problem is. What is clear now is that the eDellRoot certificate was generated two months after the Superfish debacle came to light and that it poses a risk to at least some Dell customers. Ironically, Dell has publicly capitalized on the Superfish debacle even as it engaged in a blunder that poses the same threat to its own users. People who find this certificate installed on their computer should temporarily use only Firefox to browse to HTTPS-protected sites.

Affected people should also stay apprised of events and updates in the coming days. If the worst concerns about this root certificate are confirmed, Dell almost certainly will soon provide a tool to remove this credential. More on all of this will be coming in the hours or days to come.

Post updated throughout to add details as they became available.

Promoted Comments

I have a Dell laptop from 2015 and Opera, IE and Edge all yelled at me when I visited that https test site. However, maybe I'm an idiot, but these instructions are highly confusing; I don't know what I am supposed to do: https://msdn.microsoft.com/en-us/library/bb742442.aspx ??

The reason they put the private key on the machine is (presumably) that they want to be able to serve ads based on your interests and the sites you visit, regardless of what sites they are. Putting their root certificate on the machine means your browser will trust it implicitly, thus Dell can crack open your secure https/tls connections to be able to harvest browsing data beyond just what sites you're visiting. Theoretically, they could inject their own ads into the pages you visit.

That's got to be it. If including the private key is intentional (I had assumed edellroot would be used for dell to customer communication authentication for support programs and whatnot). That's what including the private key allows them to do... To decrypt SSL, read/modify it, then re-encrypt it, without the browser throwing a flag.

I did some further research as the certificate was found on Dell Latitude 7440's as well that were deployed with Dell 7 Pro images. As other posters have stated, the certificate comes back after deleting it a short time after rebooting. So I grabbed one of the affected machines and started uninstalling each Dell app one at a time. After removing the Dell Foundation Services the cert stopped coming back "so far". One of the laptops was shipped with Dell 7 Pro downgrade from Dell and then upgraded to Windows 10 but I have another machine that wasn't upgraded to 10 which has the certificate from the 7 Pro image as well.

It's dated 11/22/2015 - yesterday. Coincidence, they are about to make an announcement, or trying to quickly sweep this under the rug?

It's described as: DFS stands for Dell Foundation Service and is an application we started installing in the factory to provide specific services facilitating customer serviceability, messaging and support functions. The future intent is to centralize features from other Dell applications providing a more seamless, easy user experience. Past versions also had issues using too much memory. http://en.community.dell.com/support-fo ... t/19616427